Version in base suite: 416~beta12-1 Base version: ckermit_416~beta12-1 Target version: ckermit_416~beta12-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/ckermit/ckermit_416~beta12-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/ckermit/ckermit_416~beta12-1+deb13u1.dsc NEWS | 11 ++++ changelog | 11 ++++ patches/openssl-check-disable | 85 ++++++++++++++++++++++++++++++++++ patches/remote-security.patch | 104 ++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 5 files changed, 213 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpo49a_dy9/ckermit_416~beta12-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpo49a_dy9/ckermit_416~beta12-1+deb13u1.dsc: no acceptable signature found
diff -Nru ckermit-416~beta12/debian/NEWS ckermit-416~beta12/debian/NEWS
--- ckermit-416~beta12/debian/NEWS 1970-01-01 00:00:00.000000000 +0000
+++ ckermit-416~beta12/debian/NEWS 2026-03-04 17:30:35.000000000 +0000
@@ -0,0 +1,11 @@
+ckermit (416~beta12-1+deb13u1) trixie; urgency=medium
+
+ The default permissions have changed such that a remote kermit can no longer
+ turn around a connection and control a local kermit. Furthermore, the default
+ settings no longer permits overwriting a local file. Both address security
+ vulnerabilities.
+
+ For further information, including information on restoring previous defaults,
+ see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123025
+
+ -- John Goerzen Mon, 15 Dec 2025 19:11:21 -0600
diff -Nru ckermit-416~beta12/debian/changelog ckermit-416~beta12/debian/changelog
--- ckermit-416~beta12/debian/changelog 2025-04-05 04:59:58.000000000 +0000
+++ ckermit-416~beta12/debian/changelog 2026-03-04 17:30:35.000000000 +0000
@@ -1,3 +1,14 @@
+ckermit (416~beta12-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+
+ [ John Goerzen ]
+ * CVE-2025-68920: Block remote control of the local kermit by default.
+ Closes: #1123025
+ * Permanently disable OpenSSL version check. Closes: #1118629.
+
+ -- Adrian Bunk Wed, 04 Mar 2026 19:30:35 +0200
+
 ckermit (416~beta12-1) unstable; urgency=medium
 
 * New upstream release
diff -Nru ckermit-416~beta12/debian/patches/openssl-check-disable ckermit-416~beta12/debian/patches/openssl-check-disable
--- ckermit-416~beta12/debian/patches/openssl-check-disable 1970-01-01 00:00:00.000000000 +0000
+++ ckermit-416~beta12/debian/patches/openssl-check-disable 2026-03-04 17:30:35.000000000 +0000
@@ -0,0 +1,85 @@
+--- a/ck_ssl.c
++++ b/ck_ssl.c
+@@ -1529,82 +1529,6 @@
+ debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_CFLAGS),0);
+ debug(F110,"OpenSSL Library",SSLeay_version(SSLEAY_PLATFORM),0);
+
+- /* The following test is suggested by Richard Levitte */
+- /* if (((OPENSSL_VERSION_NUMBER ^ SSLeay()) & 0xffffff0f) */
+- /* Modified by Adam Friedlander for OpenSSL >= 1.0.0 */
+- if (OPENSSL_VERSION_NUMBER > SSLeay()
+- || ((OPENSSL_VERSION_NUMBER ^ SSLeay()) & COMPAT_VERSION_MASK)
+-#ifdef OS2
+-/* DG 2024-08-05: Not sure what the point of this was. Presumably the goal was
+- * to prevent updated OpenSSL libraries from being used, though why you'd
+- * want to do that I'm not sure. Might have been to do with how Kermit 95s
+- * SSH code was built way back in the early 2000s I guess. Today Kermit 95s
+- * use of OpenSSL is largely the same as how C-Kermit uses it on other
+- * platforms so I don't see any reason to treat it differently here.
+- || ckstrcmp(OPENSSL_VERSION_TEXT,(char *)SSLeay_version(SSLEAY_VERSION),-1,1)
+-*/
+-#endif /* OS2 */
+- ) {
+- ssl_installed = 0;
+- debug(F111,"OpenSSL Version does not match. Built with",
+- SSLeay_version(SSLEAY_VERSION),SSLEAY_VERSION_NUMBER);
+- printf("?OpenSSL libraries do not match required version:\r\n");
+- printf(" . C-Kermit built with %s\r\n",OPENSSL_VERSION_TEXT);
+- printf(" . 
Version found %s\r\n",SSLeay_version(SSLEAY_VERSION));
+-#ifdef OPENSSL_100
+- printf(" OpenSSL versions 1.0.0 or newer must be the same\r\n");
+- printf(" major and minor version number, and Kermit may not\r\n");
+- printf(" be used with a version of OpenSSL older than the one\r\n");
+- printf(" supplied at compile time.\r\n");
+-#else
+- printf(" OpenSSL versions prior to 1.0.0 must be the same.\r\n");
+-#endif /* OPENSSL_100 */
+-
+- s = "R";
+-#ifdef SOLARIS
+- printf(" Set CD_LIBRARY_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
+- s = " Or r";
+-#endif /* SOLARIS */
+-
+-#ifdef HPUX
+- printf(" Set SHLIB_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
+- s = " Or r";
+-#endif /* HPUX */
+-
+-#ifdef AIX
+- printf(" Set LIBPATH for %s.\r\n",OPENSSL_VERSION_TEXT);
+- s = " Or r";
+-#endif /* AIX */
+-
+-#ifdef LINUX
+- printf(" Set LD_LIBRARY_PATH for %s.\r\n",OPENSSL_VERSION_TEXT);
+- s = " Or r";
+-#endif /* LINUX */
+-
+- printf(" %sebuild C-Kermit from source on this computer to make \
+-versions agree.\r\n",s);
+-
+-#ifdef KTARGET
+- {
+- char * s;
+- s = KTARGET;
+- if (!s) s = "";
+- if (!*s) s = "(unknown)";
+- printf(" C-Kermit makefile target: %s\r\n",s);
+- }
+-#endif /* KTARGET */
+- printf(" Or if that is what you did then try to find out why\r\n");
+- printf(" the program loader (image activator) is choosing a\r\n");
+- printf(" different OpenSSL library than the one specified in \
+-the build.\r\n\r\n");
+- printf(" All SSL/TLS features disabled.\r\n\r\n");
+- bleep(BP_FAIL);
+-#ifdef SSLDLL
+- ck_ssl_unloaddll();
+- ck_crypto_unloaddll();
+-#endif /* SSLDLL */
+- return;
+- }
+ #endif /* OS2ONLY */
+
+ /* init things so we will get meaningful error messages
diff -Nru ckermit-416~beta12/debian/patches/remote-security.patch ckermit-416~beta12/debian/patches/remote-security.patch
--- ckermit-416~beta12/debian/patches/remote-security.patch 1970-01-01 00:00:00.000000000 +0000
+++ ckermit-416~beta12/debian/patches/remote-security.patch 2026-03-04 
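Review bot: The new patch file openssl-check-disable carries no DEP-3 header, unlike the sibling remote-security.patch, so the reason for removing the whole version-match block (the changelog ties it to #1118629) is not recorded where quilt readers will look; something like `Description: Drop the build-vs-runtime OpenSSL version match check, which disables all SSL/TLS features on any mismatch; the distro libssl ABI is fixed by its soname.`, `Bug-Debian: https://bugs.debian.org/1118629` and `Forwarded: not-needed` would do. The removed block was the only path that set `ssl_installed = 0`, printed the diagnostic and unloaded the DLLs on a mismatch, so after this patch a libssl/libcrypto that differs from the build-time headers is accepted silently; that appears to be the intended trade-off, but it deserves a sentence in the header. The assignments `s = "R"` and `s = " Or r"` go away while the declaration of `s` lies above the hunk, so `s` may now be an unused variable in this function and draw a compiler warning; the enclosing function starts outside the hunk, so this cannot be confirmed here.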
17:30:35.000000000 +0000 
@@ -0,0 +1,104 @@
+Description: Fix remote security hole
+Author: John Goerzen
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123025
+Last-Update: 2025-12-15
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+
+Fix insecure defaults
+
+This can lead to data exfiltration and compromise
+
+Further information at http://bugs.debian.org/1123025
+--- a/ckcmai.c
++++ b/ckcmai.c
+@@ -724,7 +724,7 @@
+ #ifdef VMS /* Default filename collision action */
+ XYFX_X, /* REPLACE for VAX/VMS */
+ #else
+- XYFX_B, /* BACKUP for everybody else */
++ XYFX_D, /* REJECT for everybody else */
+ #endif /* VMS */
+
+ #ifdef OS2 /* Flag for file name conversion */
+@@ -1574,37 +1574,37 @@
+ only as initial (default) values.
+ */
+ int en_xit = 2; /* EXIT */
+-int en_cwd = 3; /* CD/CWD */
+-int en_cpy = 3; /* COPY */
++int en_cwd = 2; /* CD/CWD */
++int en_cpy = 2; /* COPY */
+ int en_del = 2; /* DELETE */
+-int en_mkd = 3; /* MKDIR */
++int en_mkd = 2; /* MKDIR */
+ int en_rmd = 2; /* RMDIR */
+-int en_dir = 3; /* DIRECTORY */
+-int en_fin = 3; /* FINISH */
+-int en_get = 3; /* GET */
++int en_dir = 2; /* DIRECTORY */
++int en_fin = 2; /* FINISH */
++int en_get = 2; /* GET */
+ #ifndef NOPUSH
+ int en_hos = 2; /* HOST enabled */
+ #else
+ int en_hos = 0; /* HOST disabled */
+ #endif /* NOPUSH */
+-int en_ren = 3; /* RENAME */
+-int en_sen = 3; /* SEND */
+-int en_set = 3; /* SET */
+-int en_spa = 3; /* SPACE */
+-int en_typ = 3; /* TYPE */
+-int en_who = 3; /* WHO */
++int en_ren = 2; /* RENAME */
++int en_sen = 2; /* SEND */
++int en_set = 2; /* SET */
++int en_spa = 2; /* SPACE */
++int en_typ = 2; /* TYPE */
++int en_who = 2; /* WHO */
+ #ifdef datageneral
+ /* Data General AOS/VS can't do this */
+ int en_bye = 0; /* BYE */
+ #else
+ int en_bye = 2; /* PCs in local mode... 
*/
+ #endif /* datageneral */
+-int en_asg = 3; /* ASSIGN */
+-int en_que = 3; /* QUERY */
++int en_asg = 2; /* ASSIGN */
++int en_que = 2; /* QUERY */
+ int en_ret = 2; /* RETRIEVE */
+-int en_mai = 3; /* MAIL */
+-int en_pri = 3; /* PRINT */
+-int en_ena = 3; /* ENABLE */
++int en_mai = 2; /* MAIL */
++int en_pri = 2; /* PRINT */
++int en_ena = 2; /* ENABLE */
+ #else
+ int en_xit = 0, en_cwd = 0, en_cpy = 0, en_del = 0, en_mkd = 0, en_rmd = 0,
+ en_dir = 0, en_fin = 0, en_get = 0, en_hos = 0, en_ren = 0, en_sen = 0,
+--- a/ckuus2.c
++++ b/ckuus2.c
+@@ -4138,12 +4138,12 @@
+ "SET FILE COLLISION option",
+ " Tells what to do when a file arrives that has the same name as",
+ " an existing file. The options are:",
+-" BACKUP (default) - Rename the old file to a new, unique name and store",
++" BACKUP - Rename the old file to a new, unique name and store",
+ " the incoming file under the name it was sent with.",
+ " OVERWRITE - Overwrite (replace) the existing file; doesn't work for",
+ " a Kermit server unless you also tell it to ENABLE DELETE.",
+ " APPEND - Append the incoming file to the end of the existing file.",
+-" REJECT - Refuse and/or discard the incoming file (= DISCARD).",
++" REJECT (default) - Refuse and/or discard the incoming file (= DISCARD).",
+ " RENAME - Give the incoming file a unique name.",
+ " UPDATE - Accept the incoming file only if newer than the existing file.",
+ " ",
+@@ -7929,7 +7929,7 @@
+ "SET TERMINAL AUTODOWNLOAD { ON, OFF, ERROR { STOP, CONTINUE } }",
+ " enables/disables automatic switching into file-transfer mode when a Kermit",
+ " or ZMODEM file transfer has been detected during CONNECT mode or while",
+-" an INPUT command is active. Default is OFF.",
++" an INPUT command is active. 
Default is ON.",
+ #else
+ "SET TERMINAL AUTODOWNLOAD { ON, OFF, ERROR { STOP, CONTINUE } }",
+ " enables/disables automatic switching into file-transfer mode when a Kermit",
diff -Nru ckermit-416~beta12/debian/patches/series ckermit-416~beta12/debian/patches/series
--- ckermit-416~beta12/debian/patches/series 2025-04-05 04:59:58.000000000 +0000
+++ ckermit-416~beta12/debian/patches/series 2026-03-04 17:30:35.000000000 +0000
@@ -1,2 +1,4 @@
+openssl-check-disable
 ck_patch.patch
 cflags.patch
+remote-security.patch
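Review bot: The last ckuus2.c hunk rewrites the SET TERMINAL AUTODOWNLOAD help from `Default is OFF.` to `Default is ON.`, yet no hunk in this patch touches the autodownload default itself, so the help either corrects text that was already wrong or now misdocuments unchanged behaviour; which one cannot be told from the patch and should be stated in the DEP-3 header. The ckcmai.c hunk lowers every ENABLE default from 3 to 2, the value already used by `en_xit`, `en_del`, `en_rmd` and `en_ret`, which presumably restricts those server commands to local mode; the Description line `Fix remote security hole` does not say so and does not carry the CVE-2025-68920 identifier the changelog attaches to this change. Suggest `Description: CVE-2025-68920: default server commands to local mode only and default FILE COLLISION to REJECT` and one sentence explaining the AUTODOWNLOAD help edit. The en_* declarations sit inside a preprocessor branch whose `#ifdef` opens above the hunk, so the `#else` fallback that zeroes them all is only partly visible here.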